MCP Server

Supported modes: Hosted, Local
Available in: Free, Solo, Teams (hosted MCP: Teams, Coming Soon)

When NOT to use this

This MCP server lets Claude (or any MCP-capable client) administer your Control Zero policies via prompt -- create projects, edit rules, review audit logs. It does NOT govern Claude's tool calls. To govern what Claude Code can do (Bash, Read, Write), use coding hooks. To govern tool calls in your own AI app, use the SDK.

The Control Zero MCP server lets you manage governance directly from AI coding clients. Create projects, define policies, review audit logs, and manage secrets, all without leaving your editor.

What It Does

The MCP server exposes Control Zero's management API as MCP tools. Any MCP-compatible client can call these tools, giving your AI coding assistant full access to your governance configuration.

Use cases:

  • Ask your AI assistant to create a new policy for your project
  • Review recent audit log entries from your editor
  • Manage secrets and API keys without switching to the dashboard
  • Scan projects for governance gaps inline

Installation

npx @controlzero/mcp-server

The server starts on stdio transport by default, which is what most MCP clients expect.

Client Configuration

Claude Desktop

Add to your Claude Desktop configuration file (claude_desktop_config.json):

{
  "mcpServers": {
    "controlzero": {
      "command": "npx",
      "args": ["@controlzero/mcp-server"],
      "env": {
        "CONTROLZERO_API_KEY": "cz_live_your_key_here"
      }
    }
  }
}

Claude Code

Add to your Claude Code MCP configuration:

{
  "mcpServers": {
    "controlzero": {
      "command": "npx",
      "args": ["@controlzero/mcp-server"],
      "env": {
        "CONTROLZERO_API_KEY": "cz_live_your_key_here"
      }
    }
  }
}

Cursor

In Cursor settings, navigate to MCP Servers and add:

{
  "controlzero": {
    "command": "npx",
    "args": ["@controlzero/mcp-server"],
    "env": {
      "CONTROLZERO_API_KEY": "cz_live_your_key_here"
    }
  }
}

Windsurf

Add to your Windsurf MCP configuration:

{
  "mcpServers": {
    "controlzero": {
      "command": "npx",
      "args": ["@controlzero/mcp-server"],
      "env": {
        "CONTROLZERO_API_KEY": "cz_live_your_key_here"
      }
    }
  }
}

VS Code

Add to your VS Code MCP settings (.vscode/mcp.json):

{
  "servers": {
    "controlzero": {
      "command": "npx",
      "args": ["@controlzero/mcp-server"],
      "env": {
        "CONTROLZERO_API_KEY": "cz_live_your_key_here"
      }
    }
  }
}

Gemini CLI

Add to your Gemini CLI MCP configuration:

{
  "mcpServers": {
    "controlzero": {
      "command": "npx",
      "args": ["@controlzero/mcp-server"],
      "env": {
        "CONTROLZERO_API_KEY": "cz_live_your_key_here"
      }
    }
  }
}

Available Tools

The MCP server exposes 7 tools for managing your Control Zero governance:

Policy Management

| Tool | Description |
| --- | --- |
| list_policies | List all active governance policies |
| create_policy | Create a new governance policy (Model Block, Cost Cap, PII, Identity) |
| update_policy | Update an existing governance policy |
| delete_policy | Delete a governance policy |
| provision_safeguards | Rapidly provision standard security safeguards (PII block + cost cap) |
| check_policy | Pre-flight check whether a specific action would be allowed or denied by active governance policies |
| expert_query | Query the Control Zero expert knowledge base (topics: pii-patterns, best-practices) |

Available Resources

The server also exposes read-only reference resources:

| URI | Description |
| --- | --- |
| cz://docs/pii-patterns | PII regex reference with GDPR / HIPAA / PCI DSS mappings |
| cz://docs/best-practices | AI governance best practices (fail-closed, audit-before-deny, least privilege) |

Available Prompts

| Prompt | Arguments | Description |
| --- | --- | --- |
| setup-hipaa-compliance | project_name (req.) | Template for provisioning HIPAA-compliant PII masking |

Example Usage

Once configured, you can interact with Control Zero through natural language in your AI coding client:

Create a policy:

"Create a Control Zero policy called 'read-only-agent' that allows database:query but denies database:execute and database:delete for the project my-agent."

Review audit logs:

"Show me the last 10 denied actions in the audit log for project my-agent."

Manage secrets:

"List all secrets stored in my Control Zero project."

Check project status:

"What policies are active in my production-agents project?"

Hosted MCP: Teams -- Running the MCP server locally is available on all tiers. Hosted MCP provisioning (managed, no local install needed) is available in Teams.

Authentication

The MCP server authenticates using your Control Zero API key. Pass it via the CONTROLZERO_API_KEY environment variable in your client configuration.

For organization-level operations (listing projects, creating projects), use an organization token. For project-scoped operations, a project API key is sufficient.
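
The API key sits in plaintext inside each client's config file, under one of the three JSON shapes shown under Client Configuration. The following added example (not part of the original page or of Control Zero's code) finds the controlzero entry in any of those shapes and reports whether a real key is stored in the file, which is useful as a pre-commit check for .vscode/mcp.json. The function names, status strings and sample key are constructed; the cz_live_ prefix is assumed from the page's placeholder.

```javascript
// Added example (not Control Zero code): find where CONTROLZERO_API_KEY sits
// in an MCP client config and report whether a real key is stored in the file.
const PLACEHOLDER = 'cz_live_your_key_here'; // placeholder string from this page
const KEY_PREFIX = 'cz_live_';               // assumed from that placeholder

// Locate the "controlzero" entry in any of the three shapes shown above:
// { mcpServers: {...} }, { servers: {...} } (VS Code), or top level (Cursor).
function findControlZeroEntry(config) {
  if (!config || typeof config !== 'object') return null;
  for (const container of [config.mcpServers, config.servers, config]) {
    const entry = container && container.controlzero;
    if (entry && typeof entry === 'object') return entry;
  }
  return null;
}

// Classify one config document. The key itself is never returned in full.
function auditConfig(jsonText) {
  let config;
  try {
    config = JSON.parse(jsonText);
  } catch (err) {
    return { status: 'invalid-json' };
  }
  const entry = findControlZeroEntry(config);
  if (!entry) return { status: 'no-controlzero-entry' };
  const key = entry.env && entry.env.CONTROLZERO_API_KEY;
  if (typeof key !== 'string' || key === '') return { status: 'key-missing' };
  if (key === PLACEHOLDER) return { status: 'placeholder' };
  // Assumption: a "${...}" value is a reference the client resolves at launch,
  // so no secret is stored in the file. Check your client before relying on it.
  if (/^\$\{[^}]+\}$/.test(key)) return { status: 'reference' };
  return {
    status: key.startsWith(KEY_PREFIX) ? 'embedded-live-key' : 'embedded-unknown-value',
    redacted: '...' + key.slice(-4), // last four characters only
  };
}

// Constructed sample: a .vscode/mcp.json with a made-up key value.
const SAMPLE_VSCODE = JSON.stringify({
  servers: { controlzero: { command: 'npx', args: ['@controlzero/mcp-server'],
    env: { CONTROLZERO_API_KEY: 'cz_live_CONSTRUCTED1234' } } },
});
console.log(auditConfig(SAMPLE_VSCODE));
```

A result of embedded-live-key on a file tracked by version control means the key is about to be shared with everyone who can read the repository.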